A Cheap Spying Tool With a High Creepy Factor

With a handful of plastic boxes and over-the-counter sensors, including Wi-Fi adapters and a USB hub, Brendan O’Connor, a security researcher, was able to monitor all the wireless traffic emitted by nearby wireless devices.

By SOMINI SENGUPTA

August 2, 2013

Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?

Mr. O’Connor, 27, bought some plastic boxes and stuffed them with a $25, credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters. He connected each of those boxes to a command and control system, and he built a data visualization system to monitor what the sensors picked up: all the wireless traffic emitted by every nearby wireless device, including smartphones.

Each box cost $57. He produced 10 of them, and then he turned them on – to spy on himself. He could pick up the Web sites he browsed when he connected to a public Wi-Fi – say at a cafe – and he scooped up the unique identifier connected to his phone and iPad. Gobs of information traveled over the Internet in the clear, meaning they were entirely unencrypted and simple to scoop up.

Even when he didn’t connect to a Wi-Fi network, his sensors could track his location through Wi-Fi “pings.” His iPhone pinged the iMessage server to check for new messages. When he logged on to an unsecured Wi-Fi, it revealed what operating system he was using on what kind of device, and whether he was using Dropbox or went on a dating site or browsed for shoes on an e-commerce site. One site might leak his e-mail address, another his photo.

“Actually it’s not hard,” he concluded. “It’s terrifyingly easy.”

Also creepy – which is why he called his contraption “CreepyDOL.”

“It could be used for anything depending on how creepy you want to be,” he said.

You could spy on your ex-lover, by placing the sensor boxes near the places the person frequents, or your teenage child, or the residents of a particular neighborhood. You could keep tabs on people who gather at a certain house of worship or take part in a protest demonstration in a town square. Their phones and tablets, Mr. O’Connor argued, would surely leak some information about them – and certainly if they then connected to an unsecured Wi-Fi. The boxes are small enough to be tucked under a cafe table or dropped from a hobby drone. They can be scattered around a city and go unnoticed.

Mr. O’Connor says he did none of that – and for a reason. In addition to being a security researcher and founder of a consulting firm called Malice Afterthought, he is also a law student at the University of Wisconsin at Madison. He says he stuck to snooping on himself – and did not, deliberately, seek to scoop up anyone else’s data – because of a federal law called the Computer Fraud and Abuse Act.

Some of his fellow security researchers have been prosecuted under that law. One of them, Andrew Auernheimer, whose hacker alias is Weev, was sentenced to 41 months in prison for exploiting a security hole in the computer system of AT&T, which made e-mail addresses accessible for over 100,000 iPad owners; Mr. Auernheimer is appealing the case.

“I haven’t done a full deployment of this because the United States government has made a practice of prosecuting security researchers,” he contends. “Everyone is terrified.”

He is presenting his findings at two security conferences in Las Vegas this week, including at a session for young people. It is a window into how cheap and easy it is to erect a surveillance apparatus.

“It eliminates the idea of ‘blending into a crowd,’” is how he put it. “If you have a wireless device (phone, iPad, etc.), even if you’re not connected to a network, CreepyDOL will see you, track your movements, and report home.”

Can individual consumers guard against such a prospect? Not really, he concluded. Applications leak more information than they should. And those who care about security and use tools like a VPN have to connect to their tunneling software after connecting to a Wi-Fi hub, meaning that for at least a few seconds, their Web traffic is known to anyone who cares to know. A VPN also does nothing to mask your device identifier.

In addition, every Wi-Fi network that your cellphone has connected to in the past is also stored in the device, meaning that as you wander by every other network, you share details of the Wi-Fi networks you’ve connected to in the past. “These are fundamental design flaws in the way pretty much everything works,” he said.

Correction: August 5, 2013

An earlier version of this article misspelled, in one reference, the surname of a security researcher who was sentenced to prison for hacking an AT&T computer system. As other references stated, he is Andrew Auernheimer, not Aurnheimer.